package com.cntaiping.fsc.security.config;

import com.cntaiping.fsc.security.config.TpSecurityProperties;
import com.cntaiping.fsc.security.filter.reactive.TpServerIpAddressFilter;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter;
import org.springframework.security.web.server.savedrequest.CookieServerRequestCache;
import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@EnableConfigurationProperties({SecurityProperties.class, TpSecurityProperties.class})
@Configuration
@ConditionalOnClass({EnableWebFluxSecurity.class, ServerAuthenticationEntryPoint.class})
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
/* loaded from: input_file:com/cntaiping/fsc/security/config/TpServerSecurityConfig.class */
public class TpServerSecurityConfig {
    private static final Logger LOG = LoggerFactory.getLogger(TpServerSecurityConfig.class);
    protected final TpSecurityProperties tpSecurity;

    /* loaded from: input_file:com/cntaiping/fsc/security/config/TpServerSecurityConfig$GlobalCorsConfigurationSource.class */
    public static class GlobalCorsConfigurationSource implements CorsConfigurationSource {
        private final CorsConfiguration config;

        public GlobalCorsConfigurationSource(CorsConfiguration corsConfiguration) {
            this.config = corsConfiguration;
        }

        public CorsConfiguration getCorsConfiguration(ServerWebExchange serverWebExchange) {
            return this.config;
        }
    }

    /* loaded from: input_file:com/cntaiping/fsc/security/config/TpServerSecurityConfig$IgnoredPathServerWebExchangeMatcher.class */
    public class IgnoredPathServerWebExchangeMatcher implements ServerWebExchangeMatcher {
        private List<String> ignored;
        private volatile ServerWebExchangeMatcher delegate;

        public IgnoredPathServerWebExchangeMatcher(TpSecurityProperties tpSecurityProperties) {
            this.ignored = getIgnored(tpSecurityProperties);
            initMatchers();
        }

        public Mono<ServerWebExchangeMatcher.MatchResult> matches(ServerWebExchange serverWebExchange) {
            return this.delegate.matches(serverWebExchange).flatMap(matchResult -> {
                return matchResult.isMatch() ? ServerWebExchangeMatcher.MatchResult.notMatch() : ServerWebExchangeMatcher.MatchResult.match();
            });
        }

        private List<String> getIgnored(TpSecurityProperties tpSecurityProperties) {
            ArrayList arrayList = new ArrayList(tpSecurityProperties.getIgnored());
            if (arrayList.isEmpty()) {
                arrayList.addAll(TpSecurityProperties.DEFAULT_IGNORED);
            } else if (arrayList.contains("none")) {
                arrayList.remove("none");
            }
            return arrayList;
        }

        private void initMatchers() {
            this.delegate = new OrServerWebExchangeMatcher((List) this.ignored.stream().map(PathPatternParserServerWebExchangeMatcher::new).collect(Collectors.toList()));
        }
    }

    public TpServerSecurityConfig(TpSecurityProperties tpSecurityProperties) {
        LOG.info("Init TpServerHttpSecurity!");
        this.tpSecurity = tpSecurityProperties;
    }

    @ConditionalOnProperty(name = {"app.security.enableIpAddressFilter"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public TpServerIpAddressFilter tpIpAddressFilter() {
        LOG.info("Init TpServerHttpSecurity create TpServerIpAddressFilter!");
        return new TpServerIpAddressFilter(this.tpSecurity.getAllowList(), this.tpSecurity.getDenyList());
    }

    @Bean
    public ServerCsrfTokenRepository serverCsrfTokenRepository() {
        LOG.info("Init TpServerHttpSecurity create serverCsrfTokenRepository!");
        return CookieServerCsrfTokenRepository.withHttpOnlyFalse();
    }

    @Bean({"ignoredPathMatcher"})
    public PathMatcher ignoredPathMatcher() {
        LOG.info("Init TpServerHttpSecurity ignoredPathMatcher.");
        return new AntPathMatcher();
    }

    private ServerHttpSecurity initHttpSecurity(ServerHttpSecurity serverHttpSecurity) throws Exception {
        ServerHttpSecurity cors;
        if (this.tpSecurity.isRequireSsl()) {
            serverHttpSecurity = serverHttpSecurity.redirectToHttps(Customizer.withDefaults());
        }
        ServerHttpSecurity csrf = this.tpSecurity.isEnableCsrf() ? serverHttpSecurity.csrf(csrfSpec -> {
            csrfSpec.csrfTokenRepository(serverCsrfTokenRepository());
        }) : serverHttpSecurity.csrf((v0) -> {
            v0.disable();
        });
        if (this.tpSecurity.isEnableCors()) {
            GlobalCorsConfigurationSource globalCorsConfigurationSource = new GlobalCorsConfigurationSource(this.tpSecurity.getCors());
            cors = csrf.cors(corsSpec -> {
                corsSpec.configurationSource(globalCorsConfigurationSource);
            });
        } else {
            cors = csrf.cors((v0) -> {
                v0.disable();
            });
        }
        return configureHeaders(cors, this.tpSecurity.getHeaders()).securityMatcher(new IgnoredPathServerWebExchangeMatcher(this.tpSecurity));
    }

    private ServerHttpSecurity configureHeaders(ServerHttpSecurity serverHttpSecurity, TpSecurityProperties.Headers headers) throws Exception {
        if (headers.getHsts() != TpSecurityProperties.Headers.HSTS.NONE) {
            boolean z = headers.getHsts() == TpSecurityProperties.Headers.HSTS.ALL;
            serverHttpSecurity = serverHttpSecurity.headers(headerSpec -> {
                headerSpec.hsts(hstsSpec -> {
                    hstsSpec.includeSubdomains(z);
                });
            });
        }
        if (!headers.isContentType()) {
            serverHttpSecurity = serverHttpSecurity.headers(headerSpec2 -> {
                headerSpec2.contentTypeOptions((v0) -> {
                    v0.disable();
                });
            });
        }
        if (StringUtils.hasText(headers.getContentSecurityPolicy())) {
            String contentSecurityPolicy = headers.getContentSecurityPolicy();
            serverHttpSecurity = headers.getContentSecurityPolicyMode() == TpSecurityProperties.Headers.ContentSecurityPolicyMode.DEFAULT ? serverHttpSecurity.headers(headerSpec3 -> {
                headerSpec3.contentSecurityPolicy(contentSecurityPolicySpec -> {
                    contentSecurityPolicySpec.policyDirectives(contentSecurityPolicy);
                });
            }) : serverHttpSecurity.headers(headerSpec4 -> {
                headerSpec4.contentSecurityPolicy(contentSecurityPolicySpec -> {
                    contentSecurityPolicySpec.policyDirectives(contentSecurityPolicy);
                    contentSecurityPolicySpec.reportOnly(true);
                });
            });
        }
        if (!headers.isXss()) {
            serverHttpSecurity = serverHttpSecurity.headers(headerSpec5 -> {
                headerSpec5.xssProtection((v0) -> {
                    v0.disable();
                });
            });
        }
        if (!headers.isCache()) {
            serverHttpSecurity = serverHttpSecurity.headers(headerSpec6 -> {
                headerSpec6.cache((v0) -> {
                    v0.disable();
                });
            });
        }
        return headers.isFrame() ? serverHttpSecurity.headers(headerSpec7 -> {
            headerSpec7.frameOptions(frameOptionsSpec -> {
                frameOptionsSpec.mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN);
            });
        }) : serverHttpSecurity.headers(headerSpec8 -> {
            headerSpec8.frameOptions((v0) -> {
                v0.disable();
            });
        });
    }

    @ConditionalOnProperty(value = {"app.security.basic.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    @Order(2147483642)
    public SecurityWebFilterChain tpSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) throws Exception {
        return initHttpSecurity(serverHttpSecurity).build();
    }

    @ConditionalOnProperty(value = {"app.security.basic.enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    @Order(2147483641)
    public SecurityWebFilterChain actuatorSecurityFilterChain(ServerHttpSecurity serverHttpSecurity) throws Exception {
        serverHttpSecurity.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeExchange(authorizeExchangeSpec -> {
            ((ServerHttpSecurity.AuthorizeExchangeSpec.Access) authorizeExchangeSpec.matchers(new ServerWebExchangeMatcher[]{EndpointRequest.to(new Class[]{HealthEndpoint.class})})).permitAll();
            ((ServerHttpSecurity.AuthorizeExchangeSpec.Access) authorizeExchangeSpec.matchers(new ServerWebExchangeMatcher[]{EndpointRequest.toAnyEndpoint()})).authenticated();
        });
        serverHttpSecurity.requestCache(requestCacheSpec -> {
            requestCacheSpec.requestCache(new CookieServerRequestCache());
        });
        serverHttpSecurity.httpBasic(Customizer.withDefaults());
        return serverHttpSecurity.build();
    }
}
